Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
336
Views
5
Helpful
5
Replies

anyconnect double auth

kp-tkr2014
Level 1
Level 1

‎06-21-2016 06:05 PM - edited ‎02-21-2020 08:52 PM

Hi,

How can I enable  double authentication  for anyconnect vpn users .

For example  

1) username  and certificate

2) useranme from ldap + username from asa local database 

If I don't  need a group selection (Users should not choose a group  before they connect to vpn) , then do i need  below part ? 

tunnel-group Test webvpn-attributes
group-alias test  disable

Thanks

1 person had this problem
Labels:
0 Helpful
5 Replies 5

Aditya Ganjoo
Cisco Employee
Cisco Employee

‎06-21-2016 06:29 PM

Hi,

Please check the following link for the configuration:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html

Regards,

Aditya

Please rate helpful posts and mark correct answers.

kp-tkr2014
Level 1
Level 1
In response to Aditya Ganjoo

‎06-22-2016 12:04 AM

Hi,

If I don't  need a group selection (Users should not choose a group  before they connect to vpn) , then do i need  below part ? 

tunnel-group Test webvpn-attributes
group-alias test  disable

Thanks

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to kp-tkr2014

‎06-22-2016 12:07 AM

Hi,

If you do not mention anything it would take care of the same.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

muhsi_2015
Level 1
Level 1
In response to Aditya Ganjoo

‎06-22-2016 11:18 PM

Hi,

as per the document   for Single Authentication and Certificate Validation below is the sample configuration

tunnel-group RA type remote-access
tunnel-group RA general-attributes
 authentication-server-group LOCAL
 default-group-policy Group1
 authorization-required
tunnel-group RA webvpn-attributes
 authentication aaa certificate
 group-alias RA enabl

As per my setup i  have only the below part  

tunnel-group RA type remote-access
tunnel-group RA general-attributes
 authentication-server-group LOCAL
 default-group-policy Group1
 authorization-required

Since the user does not want choose the  group  I have removed  the below part 

tunnel-group RA webvpn-attributes
 authentication aaa certificate
 group-alias RA enable

Am i doing correct ? 

The question is  now  for single authentication + certificate validation how the final configuration look like ?

Thanks

0 Helpful

ewilliamson4922
Level 1
Level 1
In response to muhsi_2015

‎06-23-2016 05:07 PM

so under general-attributes for the tunnel there is a secondary authentication server command that will allow you to setup dual auth, the idea being  something like they login with the local username database, and then use the username and password for like RADIUS or LDAP. To see if your configuration is good you need to verify your LDAP config for aaa-server.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents